April 13, 2022

Patch Newsday April – Pre-Easter Patches


With Autopatch coming over the horizon to help security teams prioritize and patch with a greater deal of automation, the monthly Patch Tuesday regime may soon become a thing of InfoSec lore.

However, before disappearing for the Easter break, security admins need to deal with some moderately serious vulnerabilities (one already being actively exploited) as highlighted by this month’s Patch Tuesday.

CVE-2022-24521

Top of the priority list this month should be CVE-2022-24521. While it only scores 7.2, it is seeing active exploitation. As it is a privilege escalation vulnerability, this would indicate that a threat actor is currently using it to aid lateral movement and capitalize on a pre-existing foothold.

Pair of Nasty Remote Code Execs

A pair of remote code execution vulnerabilities scoring 9.8 (CVE-2022-24491 and CVE-2022-24497) in Windows Network File System (NFS) could also be damaging. These vulnerabilities may appeal to ransomware operators as they provide the potential to expose critical data. It is also important for security teams to note that the NFS role is not part of the default configuration for Windows devices.

Server Message Block Hole – Remember WannaCry?

Another remotely executable vulnerability with a 9.8 score, this time in Server Message Block (SMB), is a potential headache for security teams. It’s of particular note as we approach the anniversary of WannaCry, which famously used the EternalBlue SMB vulnerability to propagate at great pace. Microsoft advises blocking TCP port 445 at the perimeter firewall, which is strong advice regardless of this specific vulnerability. While this won't stop exploitation from attackers inside the local network, it will prevent new attacks originating from the Internet.
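To confirm that the perimeter block on TCP 445 described above is actually in effect, the check below probes your organisation's own public addresses from a vantage point outside the network. It is an added example, not code from the original article or from Microsoft; the function names and the host list (RFC 5737 documentation addresses) are constructed placeholders.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

SMB_PORT = 445  # the port the article says to block at the perimeter


def probe_tcp(host, port=SMB_PORT, timeout=3.0):
    """Classify one TCP port as seen from where this script runs."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"         # handshake completed: SMB is reachable
    except socket.timeout:
        return "filtered"         # no reply at all: packet silently dropped
    except ConnectionRefusedError:
        return "closed"           # RST: nothing listening, or firewall rejects
    except OSError:
        return "unreachable"      # ICMP unreachable, no route, DNS failure


def audit_perimeter(hosts, port=SMB_PORT, timeout=3.0):
    """Probe every host in parallel and return {host: state}."""
    hosts = list(hosts)
    with ThreadPoolExecutor(max_workers=16) as pool:
        states = pool.map(lambda h: probe_tcp(h, port, timeout), hosts)
        return dict(zip(hosts, states))


def exposed(results):
    """Hosts whose port answered, i.e. the perimeter block is missing."""
    return sorted(h for h, s in results.items() if s == "open")


if __name__ == "__main__":
    # Constructed sample list; replace with your own public IPs and run
    # the script from outside the network being checked.
    my_public_ips = ["192.0.2.10", "192.0.2.11"]
    results = audit_perimeter(my_public_ips)
    for host, state in results.items():
        print(f"{host}:{SMB_PORT} {state}")
    if exposed(results):
        raise SystemExit("TCP 445 reachable from the Internet: "
                         + ", ".join(exposed(results)))
```

A result of "filtered" or "closed" for every address is what a working perimeter block looks like; any "open" result means SMB is answering Internet-sourced connections.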

It is telling that more of the vulnerabilities marked ‘exploitation more likely’ this month are privilege escalation flaws. This speaks to the increasing popularity of privilege escalation as a technique, providing lateral movement to critical and high-value targets once attackers have gained initial access.

Will Autopatch End the Monthly Pain?

So, plenty of testing and patching to do before the holidays. But the good news is that after nearly 20 years, the monthly Microsoft routine might finally be on the way out. From the summer onwards, the Redmond-based giant will offer free, automated patching for Windows 10, 11 and 365 Enterprise users.

The automated rollout will first go to a test batch of machines on any network, to check for possible issues. Good news. But we’re betting that the second Tuesday of the month will still be a busy day for security admins for a while to come, especially as it has been adopted by other software companies as a day for patching.

Kev Breen,
Director of Cyber Threat Research,
Immersive Labs

@kevthehermit
